By Morgan Lucas (she/her)

This was a blog series in three parts, because it took a lot to figure out.

What is Terraform?

HashiCorp's formerly open-source language for deploying infrastructure as code. It can be used with Azure and AWS, and I've used it with both.

Why would I want to secure Terraform?

Mainly consistency. In this particular instance, we wanted bucket names to follow the same style. You can also use tools like Rego or tfsec to check that buckets have proper security settings, so they are not open to the wider internet.

1️⃣ This is Part 1

As this was contract work, I can't show you the exact code used, but I can tell you that this blog post by Cesar Rodriguez of Cloud Security Musings was quite helpful, as well as this one by Chris Ayers.

The issue was using Rego. I found a cool VS Code extension, Terrascan Rego Editor, as well as several courses on Styra Academy: Policy Authoring and Policy Essentials.

Rego is probably excellent for those who know their way around a programming language, but I kept coming across so many different ways to write it that I got confused, and not yet knowing where in the input the policy should be looking made Rego frustrating.
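To make the two checks described above concrete (bucket names in one style, and buckets not open to the internet), here is an added Rego example. It is not the contract code or any tool's built-in policy; it is a plain OPA policy written against the JSON that `terraform show -json` produces for a plan, so "where the policy looks" is always `input.resource_changes`. The `acme-` naming prefix, the resource addresses and the sample plan fragment are all constructed for this example.

```rego
# Policy for a Terraform plan rendered with:
#   terraform plan -out tfplan && terraform show -json tfplan > plan.json
# Evaluate with:
#   opa eval -i plan.json -d policy.rego 'data.terraform.s3.deny'
# Self-check with the constructed sample below:
#   opa test policy.rego
package terraform.s3

import rego.v1

# Naming convention assumed for this example (constructed): lowercase,
# digits and dashes only, and every bucket must start with "acme-".
bucket_name_pattern := "^acme-[a-z0-9-]+$"

# Canned ACLs that grant access to everyone or to any AWS account.
public_acls := {"public-read", "public-read-write", "authenticated-read"}

# The four settings of aws_s3_bucket_public_access_block that must all be true.
required_block_settings := [
	"block_public_acls",
	"block_public_policy",
	"ignore_public_acls",
	"restrict_public_buckets",
]

# Every S3 bucket the plan will create or update (deletions are ignored).
s3_buckets contains rc if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket"
	rc.change.actions[_] != "delete"
}

# Check 1: consistent bucket naming.
deny contains msg if {
	some rc in s3_buckets
	name := rc.change.after.bucket
	not regex.match(bucket_name_pattern, name)
	msg := sprintf("%s: bucket name %q does not match %s", [rc.address, name, bucket_name_pattern])
}

# Check 2a: no public canned ACL on any bucket.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket_acl"
	acl := rc.change.after.acl
	acl in public_acls
	msg := sprintf("%s: ACL %q exposes the bucket beyond the owning account", [rc.address, acl])
}

# Check 2b: every public access block must have all four settings enabled.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket_public_access_block"
	some field in required_block_settings
	rc.change.after[field] == false
	msg := sprintf("%s: %s must be true", [rc.address, field])
}

# Constructed plan fragment (not a real plan) so the policy can be unit tested
# offline with `opa test`. It contains one compliant bucket and three problems:
# a badly named bucket, a public-read ACL, and a half-configured access block.
sample_plan := {"resource_changes": [
	{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
		"change": {"actions": ["create"], "after": {"bucket": "acme-app-logs"}}},
	{"address": "aws_s3_bucket.old", "type": "aws_s3_bucket",
		"change": {"actions": ["create"], "after": {"bucket": "MyOldBucket"}}},
	{"address": "aws_s3_bucket_acl.old", "type": "aws_s3_bucket_acl",
		"change": {"actions": ["create"], "after": {"acl": "public-read"}}},
	{"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
		"change": {"actions": ["create"], "after": {
			"block_public_acls": true, "block_public_policy": false,
			"ignore_public_acls": true, "restrict_public_buckets": true}}}
]}

test_sample_plan_has_three_violations if {
	count(deny) == 3 with input as sample_plan
}
```

The policy only sees values that are known at plan time; a bucket name built from a variable that resolves at apply time will not appear in `change.after`, so a pipeline should treat an unknown name as a finding to review rather than as a pass. It also does not flag a bucket that has no `aws_s3_bucket_public_access_block` at all, since that link lives in the plan's `configuration` section rather than in `resource_changes`.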

2️⃣ This is Part 2

I had gone from tfsec to Trivy at this point.

tfsec used an odd combination of YAML with a bit of Rego mixed in; can we do that here?

I had to search for the example in the config files, because Trivy scans each category of infrastructure separately and each category has its own folder, most of which are empty.